@infoxchange/make-it-so 2.10.0-internal-testing-vdt-199-add-oidc-auth.7 → 2.10.0-internal-testing-vdt-199-add-oidc-auth-2.1

package/README.md

@@ -13,8 +13,6 @@ npm --save-dev @infoxchange/make-it-so
 yarn add --dev @infoxchange/make-it-so
 ```
 
-
-
 ## Features
 
 ### deployConfig
@@ -292,6 +290,30 @@ const vpcDetails = new IxVpcDetails(scope, "VpcDetails");
 
 </details>
 
+<details>
+<summary><strong>CloudFrontOidcAuth</strong> - Adds OIDC authentication to a CloudFront distribution.</summary>
+
+```typescript
+import { CloudWatchOidcAuth } from "@infoxchange/make-it-so/cdk-constructs";
+
+// You first create an instance of CloudFrontOidcAuth
+const auth = new CloudFrontOidcAuth(stack, "CloudFrontOidcAuth", {
+  oidcIssuerUrl: "https://your-oidc-server.com/path/",
+  oidcClientId: "your-client-id",
+  oidcScope: "email",
+});
+
+// Then you apply it to the a CloudFront backed site when it's created
+const site = new IxStaticSite(stack, "IxStaticSite", {
+  path: "path/to/site/files",
+  cdk: {
+    distribution: auth.addToDistributionDefinition(stack, {
+      distributionDefinition: {},
+    }),
+  },
+});
+```
+
 ## Full Example
 
 To deploy a Next.js based site you would include a `sst.config.ts` file at the root of repo with contents like this:

package/dist/cdk-constructs/CloudFrontOidcAuth/auth-check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-check.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudFrontOidcAuth/auth-check.ts"],"names":[],"mappings":""}

package/dist/cdk-constructs/CloudFrontOidcAuth/auth-route.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-route.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudFrontOidcAuth/auth-route.ts"],"names":[],"mappings":"AAyBA,eAAO,MAAM,OAAO,4CAiCnB,CAAC"}

package/dist/cdk-constructs/{CloudWatchOidcAuth → CloudFrontOidcAuth}/auth-route.js

@@ -24,8 +24,7 @@ export const handler = addRequiredContext(AuthHandler({
             issuer: await Issuer.discover(oidcIssuerConfigUrl.href),
             clientID: oidcClientId,
             scope: oidcScope,
-            onSuccess: async (tokenset, client) => {
-                console.log("🟢", client);
+            onSuccess: async (tokenset) => {
                 // Payload to include in the token
                 const payload = {
                     userID: tokenset.claims().sub,
@@ -52,11 +51,9 @@ export const handler = addRequiredContext(AuthHandler({
 }));
 function addRequiredContext(handler) {
     return async function (...args) {
-        const [event, context] = args;
+        const [event] = args;
         // Used by AuthHandler to create callback url sent to oidc server
         event.requestContext.domainName = event.headers["x-forwarded-host"];
-        console.log("🟢 event", event);
-        console.log("🔵 context", context);
         return await handler(...args);
     };
 }

package/dist/cdk-constructs/{CloudWatchOidcAuth → CloudFrontOidcAuth}/index.d.ts

@@ -10,7 +10,7 @@ type Props = {
     oidcClientId: string;
     oidcScope: string;
 };
-export declare class CloudWatchOidcAuth extends Construct {
+export declare class CloudFrontOidcAuth extends Construct {
     readonly oidcIssuerUrl: string;
     readonly oidcClientId: string;
     readonly oidcScope: string;

package/dist/cdk-constructs/{CloudWatchOidcAuth → CloudFrontOidcAuth}/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AASvC,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAI1E,KAAK,cAAc,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AACjE,KAAK,WAAW,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9D,KAAK,OAAO,CAAC,CAAC,IAAI;IAChB,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAC/B,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;gBAER,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK;IAQhE,2BAA2B,CACzB,iBAAiB,SAAS,4BAA4B,EAEtD,KAAK,EAAE,cAAc,EACrB,EACE,sBAAsB,EACtB,MAAgB,GACjB,EAAE;QAAE,sBAAsB,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IA6C5E,OAAO,CAAC,sBAAsB;IAyH9B,OAAO,CAAC,sBAAsB;CA0E/B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudFrontOidcAuth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AASvC,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAI1E,KAAK,cAAc,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AACjE,KAAK,WAAW,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9D,KAAK,OAAO,CAAC,CAAC,IAAI;IAChB,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAC/B,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;gBAER,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK;IAQhE,2BAA2B,CACzB,iBAAiB,SAAS,4BAA4B,EAEtD,KAAK,EAAE,cAAc,EACrB,EACE,sBAAsB,EACtB,MAAgB,GACjB,EAAE;QAAE,sBAAsB,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IAuC5E,OAAO,CAAC,sBAAsB;IA8H9B,OAAO,CAAC,sBAAsB;CA8E/B"}

package/dist/cdk-constructs/{CloudWatchOidcAuth → CloudFrontOidcAuth}/index.js

@@ -9,7 +9,7 @@ import { Config as SSTInternalConfig } from "sst/config.js";
 import CloudFrontOrigins from "aws-cdk-lib/aws-cloudfront-origins";
 import path from "node:path";
 import fs from "node:fs";
-export class CloudWatchOidcAuth extends Construct {
+export class CloudFrontOidcAuth extends Construct {
     oidcIssuerUrl;
     oidcClientId;
     oidcScope;
@@ -22,7 +22,6 @@ export class CloudWatchOidcAuth extends Construct {
         this.id = id;
     }
     addToDistributionDefinition(scope, { distributionDefinition, prefix = "/auth", }) {
-        console.log("------", import.meta.dirname, import.meta.url, import.meta.filename);
         const updatedDistributionDefinition = { ...distributionDefinition };
         const behaviourName = `${prefix.replace(/^\//g, "")}/*`;
         updatedDistributionDefinition.additionalBehaviors =
@@ -126,18 +125,20 @@ export class CloudWatchOidcAuth extends Construct {
             throw new Error("Could not find the underlying Lambda function of the AwsCustomResource");
         }
         fn.addEnvironment("NODE_OPTIONS", "--require=@aws-sdk/signature-v4-crt");
-        const edgeFuncAuthCheck = new CloudFront.Function(scope, `${this.id}AuthCheckFunction`, {
-            code: CloudFront.FunctionCode.fromInline(fs.readFileSync(path.join(import.meta.dirname, "auth-check.js"), "utf8").replace("__placeholder-for-jwt-secret-key__", key)),
+        const authCheckFunction = new CloudFront.Function(scope, `${this.id}AuthCheckFunction`, {
+            code: CloudFront.FunctionCode.fromInline(fs
+                .readFileSync(path.join(import.meta.dirname, "auth-check.js"), "utf8")
+                .replace("__placeholder-for-jwt-secret-key__", key)),
             runtime: CloudFront.FunctionRuntime.JS_2_0,
             keyValueStore: cfKeyValueStore,
         });
         return {
-            function: edgeFuncAuthCheck,
+            function: authCheckFunction,
             eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
         };
     }
     getAuthBehaviorOptions(scope, jwtSecret, prefix) {
-        const edgeFuncAuth = new SST.Function(scope, `${this.id}EdgeFunctionAuth`, {
+        const authRouteFunction = new SST.Function(scope, `${this.id}AuthRouteFunction`, {
             runtime: "nodejs20.x",
             handler: path.join(import.meta.dirname, "auth-route.handler"),
             environment: {
@@ -147,7 +148,7 @@ export class CloudWatchOidcAuth extends Construct {
                 JWT_SECRET: jwtSecret.secretValue.toString(),
             },
         });
-        // edgeFuncAuth uses SST's AuthHandler construct which is normally run inside a lambda that's
+        // authRouteFunction uses SST's AuthHandler construct which is normally run inside a lambda that's
         // created by SST's Auth construct. AuthHandler expects certain environment variables to be set
         // by the Auth construct so we have to set them ourselves here to keep it happy.
         const envVarName = SSTInternalConfig.envFor({
@@ -155,8 +156,8 @@ export class CloudWatchOidcAuth extends Construct {
             id: "id", // It seems like the env var will still be found no matter what this value is
             prop: "prefix",
         });
-        edgeFuncAuth.addEnvironment(envVarName, prefix);
-        const edgeFuncAuthUrl = edgeFuncAuth.addFunctionUrl({
+        authRouteFunction.addEnvironment(envVarName, prefix);
+        const authRouteFunctionUrl = authRouteFunction.addFunctionUrl({
             authType: Lambda.FunctionUrlAuthType.NONE,
         });
         const forwardHostHeaderCfFunction = new CloudFront.Function(scope, `${this.id}ForwardHostHeaderFunction`, {
@@ -170,7 +171,7 @@ export class CloudWatchOidcAuth extends Construct {
             runtime: CloudFront.FunctionRuntime.JS_2_0,
         });
         return {
-            origin: new CloudFrontOrigins.HttpOrigin(CDK.Fn.parseDomainName(edgeFuncAuthUrl.url)),
+            origin: new CloudFrontOrigins.HttpOrigin(CDK.Fn.parseDomainName(authRouteFunctionUrl.url)),
             allowedMethods: CloudFront.AllowedMethods.ALLOW_ALL,
             cachePolicy: new CloudFront.CachePolicy(scope, `${this.id}AllowAllCookiesPolicy`, {
                 cachePolicyName: "AllowAllCookiesPolicy",

package/dist/cdk-constructs/index.d.ts

@@ -6,5 +6,5 @@ export * from "./IxStaticSite.js";
 export * from "./IxElasticache.js";
 export * from "./IxApi.js";
 export * from "./IxQuicksightWorkspace.js";
-export * from "./CloudWatchOidcAuth/index.js";
+export * from "./CloudFrontOidcAuth/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/cdk-constructs/index.js

@@ -6,4 +6,4 @@ export * from "./IxStaticSite.js";
 export * from "./IxElasticache.js";
 export * from "./IxApi.js";
 export * from "./IxQuicksightWorkspace.js";
-export * from "./CloudWatchOidcAuth/index.js";
+export * from "./CloudFrontOidcAuth/index.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@infoxchange/make-it-so",
-  "version": "2.10.0-internal-testing-vdt-199-add-oidc-auth.7",
+  "version": "2.10.0-internal-testing-vdt-199-add-oidc-auth-2.1",
   "description": "Makes deploying services to IX infra easy",
   "repository": "github:infoxchange/make-it-so",
   "type": "module",
@@ -30,6 +30,7 @@
     "@commitlint/prompt-cli": "^19.3.1",
     "@eslint/js": "^9.3.0",
     "@tsconfig/node21": "^21.0.3",
+    "@types/aws-cloudfront-function": "^1.0.6",
     "@types/jsonwebtoken": "^9.0.10",
     "aws-cdk-lib": "2.142.1",
     "constructs": "^10.3.0",
@@ -51,8 +52,6 @@
     "sst": "^2.0.0"
   },
   "dependencies": {
-    "@aws-sdk/client-lambda": "^3.920.0",
-    "@types/aws-cloudfront-function": "^1.0.6",
     "jsonwebtoken": "^9.0.2",
     "zod": "^3.24.2"
   }

package/src/cdk-constructs/{CloudWatchOidcAuth → CloudFrontOidcAuth}/auth-check.ts

@@ -72,7 +72,13 @@ function _constantTimeEquals(a: string, b: string) {
   return 0 === xor;
 }
 
-function _verify(input: string, key: string, method: string, type: string, signature: string) {
+function _verify(
+  input: string,
+  key: string,
+  method: string,
+  type: string,
+  signature: string,
+) {
   if (type === "hmac") {
     return _constantTimeEquals(signature, _sign(input, key, method));
   } else {
@@ -97,7 +103,8 @@ async function handler(event: AWSCloudFrontFunction.Event) {
     throw new Error("Error retrieving JWT secret key");
   }
 
-  const jwtToken = request.cookies["auth-token"] && request.cookies["auth-token"].value;
+  const jwtToken =
+    request.cookies["auth-token"] && request.cookies["auth-token"].value;
 
   if (!jwtToken) {
     log("Error: No JWT in the cookies");
@@ -130,18 +137,18 @@ const log: typeof console.log = function () {
 
   // CloudFront Function runtime only prints first argument passed to console.log so add other args to the first one if given.
   // eslint-disable-next-line prefer-rest-params -- We can't use spread or rest parameters in CloudFront Functions
-  let message = arguments[0]
+  let message = arguments[0];
   if (arguments.length > 1) {
     const otherArgs = [];
     for (let i = 1; i < arguments.length; i++) {
       // eslint-disable-next-line prefer-rest-params
-      otherArgs[i-1] = arguments[i];
+      otherArgs[i - 1] = arguments[i];
     }
 
     message += " - additional args: " + JSON.stringify(otherArgs);
   }
   console.log(message);
-}
+};
 
 // This serves no purpose other than to make TypeScript and eslint happy by showing that that handler is used. We can't
 // export handler as an alterative because CloudFront Functions don't support exports.

package/src/cdk-constructs/{CloudWatchOidcAuth → CloudFrontOidcAuth}/auth-route.ts

@@ -30,8 +30,7 @@ export const handler = addRequiredContext(
         issuer: await Issuer.discover(oidcIssuerConfigUrl.href),
         clientID: oidcClientId,
         scope: oidcScope,
-        onSuccess: async (tokenset, client) => {
-          console.log("🟢", client);
+        onSuccess: async (tokenset) => {
           // Payload to include in the token
           const payload = {
             userID: tokenset.claims().sub,
@@ -39,14 +38,10 @@ export const handler = addRequiredContext(
           const expiresInMs = 1000 * 60 * 60;
 
           // Create the token
-          const token = jwt.sign(
-            payload,
-            jwtSecret,
-            {
-              algorithm: "HS256",
-              expiresIn: expiresInMs / 1000,
-            }
-          );
+          const token = jwt.sign(payload, jwtSecret, {
+            algorithm: "HS256",
+            expiresIn: expiresInMs / 1000,
+          });
           const expiryDate = new Date(Date.now() + expiresInMs);
           return {
             statusCode: 302,
@@ -63,13 +58,13 @@ export const handler = addRequiredContext(
   }),
 );
 
-function addRequiredContext(handler: ReturnType<typeof AuthHandler>): ReturnType<typeof AuthHandler> {
+function addRequiredContext(
+  handler: ReturnType<typeof AuthHandler>,
+): ReturnType<typeof AuthHandler> {
   return async function (...args) {
-    const [event, context] = args;
+    const [event] = args;
     // Used by AuthHandler to create callback url sent to oidc server
     event.requestContext.domainName = event.headers["x-forwarded-host"];
-    console.log("🟢 event", event)
-    console.log("🔵 context", context)
 
     return await handler(...args);
   };

package/src/cdk-constructs/CloudFrontOidcAuth/cloudfront.d.ts

@@ -0,0 +1,245 @@
+// NOTE: once this is no longer needed we can remove typeRoots from tsconfig.json as well
+
+// This is a copy of @types/aws-cloudfront-function but with optional kvsId in kvs() function. We can't just modify the
+// kvs type since we can't modify the default export without messing up the rest of the types. Which is why we
+// unfortunately have to duplicate the whole file here.
+// But once https://github.com/DefinitelyTyped/DefinitelyTyped/issues/73959 is sorted we can get rid of this.
+
+declare namespace AWSCloudFrontFunction {
+  interface Event {
+    version: "1.0";
+    context: Context;
+    viewer: Viewer;
+    request: Request;
+    response: Response;
+  }
+
+  interface Context {
+    distributionDomainName: string;
+    distributionId: string;
+    eventType: "viewer-request" | "viewer-response";
+    requestId: string;
+  }
+
+  interface Viewer {
+    ip: string;
+  }
+
+  interface Request {
+    method: string;
+    uri: string;
+    querystring: ValueObject;
+    headers: ValueObject;
+    cookies: ValueObject;
+  }
+
+  interface Response {
+    statusCode: number;
+    statusDescription?: string;
+    headers?: ValueObject;
+    cookies?: ResponseCookie;
+    body?: string | ResponseBody;
+  }
+
+  interface ResponseBody {
+    data: string;
+    encoding: "text" | "base64";
+  }
+
+  interface ValueObject {
+    [name: string]: {
+      value: string;
+      multiValue?: Array<{
+        value: string;
+      }>;
+    };
+  }
+
+  interface ResponseCookie {
+    [name: string]: {
+      value: string;
+      attributes: string;
+      multiValue?: Array<{
+        value: string;
+        attributes: string;
+      }>;
+    };
+  }
+}
+
+declare module "cloudfront" {
+  /**
+   * Retrieves a reference to a CloudFront Key-Value Store (KVS) by its ID.
+   * @param kvsId The identifier of the KVS to use.
+   * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/functions-custom-methods.html
+   */
+  function kvs(kvsId?: string): KVStore;
+
+  interface KVStore {
+    /**
+     * Retrieve a value from the store.
+     * @param key Key to retrieve.
+     * @throws If key does not exist.
+     */
+    get(key: string): Promise<string>;
+    get(key: string, options: { format: "string" }): Promise<string>;
+    get(key: string, options: { format: "bytes" }): Promise<Uint8Array>;
+    get(key: string, options: { format: "json" }): Promise<unknown>;
+
+    /**
+     * Check if the key exists in the store.
+     * @param key Key to check.
+     */
+    exists(key: string): Promise<boolean>;
+
+    /**
+     * Retrieve metadata about the key-value store.
+     */
+    meta(): Promise<{
+      creationDateTime: string;
+      lastUpdatedDateTime: string;
+      keyCount: number;
+    }>;
+  }
+
+  interface OriginAccessControlConfig {
+    enabled: boolean;
+    signingBehavior: "always" | "never" | "no-override";
+    signingProtocol: "sigv4";
+    originType: "s3" | "mediapackagev2" | "mediastore" | "lambda";
+  }
+
+  interface OriginShield {
+    enabled: boolean;
+    region: string;
+  }
+
+  interface Timeouts {
+    /**
+     * Max time (seconds) to wait for a response or next packet. (1–60)
+     */
+    readTimeout?: number;
+
+    /**
+     * Max time (seconds) to keep the connection alive after response. (1–60)
+     */
+    keepAliveTimeout?: number;
+
+    /**
+     * Max time (seconds) to wait for connection establishment. (1–10)
+     */
+    connectionTimeout?: number;
+  }
+
+  interface CustomOriginConfig {
+    /**
+     * Port number of the origin. e.g., 80 or 443
+     */
+    port: number;
+
+    /**
+     * Protocol used to connect. Must be "http" or "https"
+     */
+    protocol: "http" | "https";
+
+    /**
+     * Minimum TLS/SSL version to use for HTTPS connections.
+     */
+    sslProtocols: Array<"SSLv3" | "TLSv1" | "TLSv1.1" | "TLSv1.2">;
+  }
+
+  interface UpdateRequestOriginParams {
+    /**
+     * New origin's domain name. Optional if reusing existing origin's domain.
+     */
+    domainName?: string;
+
+    /**
+     * Path prefix to append when forwarding request to origin.
+     */
+    originPath?: string;
+
+    /**
+     * Override or clear custom headers for the origin request.
+     */
+    customHeaders?: Record<string, string>;
+
+    /**
+     * Number of connection attempts (1–3).
+     */
+    connectionAttempts?: number;
+
+    /**
+     * Origin Shield configuration. Enables shield layer if specified.
+     */
+    originShield?: OriginShield;
+
+    /**
+     * Origin Access Control (OAC) configuration.
+     */
+    originAccessControlConfig?: OriginAccessControlConfig;
+
+    /**
+     * Response and connection timeout configurations.
+     */
+    timeouts?: Timeouts;
+
+    /**
+     * Settings for non-S3 origins or S3 with static website hosting.
+     */
+    customOriginConfig?: CustomOriginConfig;
+  }
+
+  /**
+   * Mutates the current request’s origin.
+   * You can specify a new origin (e.g., S3 or ALB), change custom headers, enable OAC, or enable Origin Shield.
+   * Missing fields will inherit values from the assigned origin.
+   * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/helper-functions-origin-modification.html#update-request-origin-helper-function
+   */
+  function updateRequestOrigin(params: UpdateRequestOriginParams): void;
+
+  /**
+   * Switches to another origin already defined in the distribution by origin ID.
+   * This is more efficient than defining a new one via `updateRequestOrigin()`.
+   * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/helper-functions-origin-modification.html#select-request-origin-id-helper-function
+   */
+  function selectRequestOriginById(originId: string): void;
+
+  interface CreateRequestOriginGroupParams {
+    /**
+     * Two origin IDs to form an origin group.
+     * The first is primary; the second is used for failover.
+     */
+    originIds: [string, string];
+
+    /**
+     * Failover selection strategy: default or media-quality-score.
+     */
+    selectionCriteria?: "default" | "media-quality-score";
+
+    /**
+     * List of status codes that trigger failover to the secondary origin.
+     */
+    failoverCriteria: {
+      statusCodes: number[];
+    };
+  }
+
+  /**
+   * Creates a new origin group for failover logic.
+   * The origin group can be referenced later via origin ID.
+   * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/helper-functions-origin-modification.html#create-request-origin-group-helper-function
+   */
+  function createRequestOriginGroup(
+    params: CreateRequestOriginGroupParams,
+  ): void;
+
+  const cf: {
+    kvs: typeof kvs;
+    updateRequestOrigin: typeof updateRequestOrigin;
+    selectRequestOriginById: typeof selectRequestOriginById;
+    createRequestOriginGroup: typeof createRequestOriginGroup;
+  };
+
+  export default cf;
+}

package/src/cdk-constructs/{CloudWatchOidcAuth → CloudFrontOidcAuth}/index.ts

@@ -24,7 +24,7 @@ type Props = {
   oidcScope: string;
 };
 
-export class CloudWatchOidcAuth extends Construct {
+export class CloudFrontOidcAuth extends Construct {
   readonly oidcIssuerUrl: string;
   readonly oidcClientId: string;
   readonly oidcScope: string;
@@ -47,12 +47,6 @@ export class CloudWatchOidcAuth extends Construct {
       prefix = "/auth",
     }: { distributionDefinition: Mutable<DistributionProps>; prefix?: string },
   ) {
-    console.log(
-      "------",
-      import.meta.dirname,
-      import.meta.url,
-      import.meta.filename,
-    );
     const updatedDistributionDefinition = { ...distributionDefinition };
     const behaviourName = `${prefix.replace(/^\//g, "")}/*`;
     updatedDistributionDefinition.additionalBehaviors =
@@ -193,12 +187,17 @@ export class CloudWatchOidcAuth extends Construct {
     }
     fn.addEnvironment("NODE_OPTIONS", "--require=@aws-sdk/signature-v4-crt");
 
-    const edgeFuncAuthCheck = new CloudFront.Function(
+    const authCheckFunction = new CloudFront.Function(
       scope,
       `${this.id}AuthCheckFunction`,
       {
         code: CloudFront.FunctionCode.fromInline(
-          fs.readFileSync(path.join(import.meta.dirname, "auth-check.js"), "utf8").replace("__placeholder-for-jwt-secret-key__", key),
+          fs
+            .readFileSync(
+              path.join(import.meta.dirname, "auth-check.js"),
+              "utf8",
+            )
+            .replace("__placeholder-for-jwt-secret-key__", key),
         ),
         runtime: CloudFront.FunctionRuntime.JS_2_0,
         keyValueStore: cfKeyValueStore,
@@ -206,7 +205,7 @@ export class CloudWatchOidcAuth extends Construct {
     );
 
     return {
-      function: edgeFuncAuthCheck,
+      function: authCheckFunction,
       eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
     };
   }
@@ -216,18 +215,22 @@ export class CloudWatchOidcAuth extends Construct {
     jwtSecret: SecretsManager.Secret,
     prefix: string,
   ): CloudFront.BehaviorOptions {
-    const edgeFuncAuth = new SST.Function(scope, `${this.id}EdgeFunctionAuth`, {
-      runtime: "nodejs20.x",
-      handler: path.join(import.meta.dirname, "auth-route.handler"),
-      environment: {
-        OIDC_ISSUER_URL: this.oidcIssuerUrl,
-        OIDC_CLIENT_ID: this.oidcClientId,
-        OIDC_SCOPE: this.oidcScope,
-        JWT_SECRET: jwtSecret.secretValue.toString(),
+    const authRouteFunction = new SST.Function(
+      scope,
+      `${this.id}AuthRouteFunction`,
+      {
+        runtime: "nodejs20.x",
+        handler: path.join(import.meta.dirname, "auth-route.handler"),
+        environment: {
+          OIDC_ISSUER_URL: this.oidcIssuerUrl,
+          OIDC_CLIENT_ID: this.oidcClientId,
+          OIDC_SCOPE: this.oidcScope,
+          JWT_SECRET: jwtSecret.secretValue.toString(),
+        },
       },
-    });
+    );
 
-    // edgeFuncAuth uses SST's AuthHandler construct which is normally run inside a lambda that's
+    // authRouteFunction uses SST's AuthHandler construct which is normally run inside a lambda that's
     // created by SST's Auth construct. AuthHandler expects certain environment variables to be set
     // by the Auth construct so we have to set them ourselves here to keep it happy.
     const envVarName = SSTInternalConfig.envFor({
@@ -235,9 +238,9 @@ export class CloudWatchOidcAuth extends Construct {
       id: "id", // It seems like the env var will still be found no matter what this value is
       prop: "prefix",
     });
-    edgeFuncAuth.addEnvironment(envVarName, prefix);
+    authRouteFunction.addEnvironment(envVarName, prefix);
 
-    const edgeFuncAuthUrl = edgeFuncAuth.addFunctionUrl({
+    const authRouteFunctionUrl = authRouteFunction.addFunctionUrl({
       authType: Lambda.FunctionUrlAuthType.NONE,
     });
     const forwardHostHeaderCfFunction = new CloudFront.Function(
@@ -257,7 +260,7 @@ export class CloudWatchOidcAuth extends Construct {
 
     return {
       origin: new CloudFrontOrigins.HttpOrigin(
-        CDK.Fn.parseDomainName(edgeFuncAuthUrl.url),
+        CDK.Fn.parseDomainName(authRouteFunctionUrl.url),
       ),
       allowedMethods: CloudFront.AllowedMethods.ALLOW_ALL,
       cachePolicy: new CloudFront.CachePolicy(

package/src/cdk-constructs/index.ts

@@ -6,4 +6,4 @@ export * from "./IxStaticSite.js";
 export * from "./IxElasticache.js";
 export * from "./IxApi.js";
 export * from "./IxQuicksightWorkspace.js";
-export * from "./CloudWatchOidcAuth/index.js";
+export * from "./CloudFrontOidcAuth/index.js";

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-check.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-check.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-check.ts"],"names":[],"mappings":""}

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-route.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-route.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts"],"names":[],"mappings":"AAyBA,eAAO,MAAM,OAAO,4CAsCnB,CAAC"}

package/dist/lib/utils/source-code.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=source-code.d.ts.map

package/dist/lib/utils/source-code.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"source-code.d.ts","sourceRoot":"","sources":["../../../src/lib/utils/source-code.ts"],"names":[],"mappings":""}

package/dist/lib/utils/source-code.js

@@ -1 +0,0 @@
-export {};

package/src/cdk-constructs/CloudWatchOidcAuth/cloudfront.d.ts

@@ -1,243 +0,0 @@
-// NOTE: once this is no longer needed we can remove typeRoots from tsconfig.json as well
-
-// This is a copy of @types/aws-cloudfront-function but with optional kvsId in kvs() function. We can't just modify the
-// kvs type since we can't modify the default export without messing up the rest of the types. Which is why we
-// unfortunately have to duplicate the whole file here.
-// But once https://github.com/DefinitelyTyped/DefinitelyTyped/issues/73959 is sorted we can get rid of this.
-
-declare namespace AWSCloudFrontFunction {
-    interface Event {
-        version: "1.0";
-        context: Context;
-        viewer: Viewer;
-        request: Request;
-        response: Response;
-    }
-
-    interface Context {
-        distributionDomainName: string;
-        distributionId: string;
-        eventType: "viewer-request" | "viewer-response";
-        requestId: string;
-    }
-
-    interface Viewer {
-        ip: string;
-    }
-
-    interface Request {
-        method: string;
-        uri: string;
-        querystring: ValueObject;
-        headers: ValueObject;
-        cookies: ValueObject;
-    }
-
-    interface Response {
-        statusCode: number;
-        statusDescription?: string;
-        headers?: ValueObject;
-        cookies?: ResponseCookie;
-        body?: string | ResponseBody;
-    }
-
-    interface ResponseBody {
-        data: string;
-        encoding: "text" | "base64";
-    }
-
-    interface ValueObject {
-        [name: string]: {
-            value: string;
-            multiValue?: Array<{
-                value: string;
-            }>;
-        };
-    }
-
-    interface ResponseCookie {
-        [name: string]: {
-            value: string;
-            attributes: string;
-            multiValue?: Array<{
-                value: string;
-                attributes: string;
-            }>;
-        };
-    }
-}
-
-declare module "cloudfront" {
-    /**
-     * Retrieves a reference to a CloudFront Key-Value Store (KVS) by its ID.
-     * @param kvsId The identifier of the KVS to use.
-     * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/functions-custom-methods.html
-     */
-    function kvs(kvsId?: string): KVStore;
-
-    interface KVStore {
-        /**
-         * Retrieve a value from the store.
-         * @param key Key to retrieve.
-         * @throws If key does not exist.
-         */
-        get(key: string): Promise<string>;
-        get(key: string, options: { format: "string" }): Promise<string>;
-        get(key: string, options: { format: "bytes" }): Promise<Uint8Array>;
-        get(key: string, options: { format: "json" }): Promise<unknown>;
-
-        /**
-         * Check if the key exists in the store.
-         * @param key Key to check.
-         */
-        exists(key: string): Promise<boolean>;
-
-        /**
-         * Retrieve metadata about the key-value store.
-         */
-        meta(): Promise<{
-            creationDateTime: string;
-            lastUpdatedDateTime: string;
-            keyCount: number;
-        }>;
-    }
-
-    interface OriginAccessControlConfig {
-        enabled: boolean;
-        signingBehavior: "always" | "never" | "no-override";
-        signingProtocol: "sigv4";
-        originType: "s3" | "mediapackagev2" | "mediastore" | "lambda";
-    }
-
-    interface OriginShield {
-        enabled: boolean;
-        region: string;
-    }
-
-    interface Timeouts {
-        /**
-         * Max time (seconds) to wait for a response or next packet. (1–60)
-         */
-        readTimeout?: number;
-
-        /**
-         * Max time (seconds) to keep the connection alive after response. (1–60)
-         */
-        keepAliveTimeout?: number;
-
-        /**
-         * Max time (seconds) to wait for connection establishment. (1–10)
-         */
-        connectionTimeout?: number;
-    }
-
-    interface CustomOriginConfig {
-        /**
-         * Port number of the origin. e.g., 80 or 443
-         */
-        port: number;
-
-        /**
-         * Protocol used to connect. Must be "http" or "https"
-         */
-        protocol: "http" | "https";
-
-        /**
-         * Minimum TLS/SSL version to use for HTTPS connections.
-         */
-        sslProtocols: Array<"SSLv3" | "TLSv1" | "TLSv1.1" | "TLSv1.2">;
-    }
-
-    interface UpdateRequestOriginParams {
-        /**
-         * New origin's domain name. Optional if reusing existing origin's domain.
-         */
-        domainName?: string;
-
-        /**
-         * Path prefix to append when forwarding request to origin.
-         */
-        originPath?: string;
-
-        /**
-         * Override or clear custom headers for the origin request.
-         */
-        customHeaders?: Record<string, string>;
-
-        /**
-         * Number of connection attempts (1–3).
-         */
-        connectionAttempts?: number;
-
-        /**
-         * Origin Shield configuration. Enables shield layer if specified.
-         */
-        originShield?: OriginShield;
-
-        /**
-         * Origin Access Control (OAC) configuration.
-         */
-        originAccessControlConfig?: OriginAccessControlConfig;
-
-        /**
-         * Response and connection timeout configurations.
-         */
-        timeouts?: Timeouts;
-
-        /**
-         * Settings for non-S3 origins or S3 with static website hosting.
-         */
-        customOriginConfig?: CustomOriginConfig;
-    }
-
-    /**
-     * Mutates the current request’s origin.
-     * You can specify a new origin (e.g., S3 or ALB), change custom headers, enable OAC, or enable Origin Shield.
-     * Missing fields will inherit values from the assigned origin.
-     * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/helper-functions-origin-modification.html#update-request-origin-helper-function
-     */
-    function updateRequestOrigin(params: UpdateRequestOriginParams): void;
-
-    /**
-     * Switches to another origin already defined in the distribution by origin ID.
-     * This is more efficient than defining a new one via `updateRequestOrigin()`.
-     * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/helper-functions-origin-modification.html#select-request-origin-id-helper-function
-     */
-    function selectRequestOriginById(originId: string): void;
-
-    interface CreateRequestOriginGroupParams {
-        /**
-         * Two origin IDs to form an origin group.
-         * The first is primary; the second is used for failover.
-         */
-        originIds: [string, string];
-
-        /**
-         * Failover selection strategy: default or media-quality-score.
-         */
-        selectionCriteria?: "default" | "media-quality-score";
-
-        /**
-         * List of status codes that trigger failover to the secondary origin.
-         */
-        failoverCriteria: {
-            statusCodes: number[];
-        };
-    }
-
-    /**
-     * Creates a new origin group for failover logic.
-     * The origin group can be referenced later via origin ID.
-     * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/helper-functions-origin-modification.html#create-request-origin-group-helper-function
-     */
-    function createRequestOriginGroup(params: CreateRequestOriginGroupParams): void;
-
-    const cf: {
-        kvs: typeof kvs;
-        updateRequestOrigin: typeof updateRequestOrigin;
-        selectRequestOriginById: typeof selectRequestOriginById;
-        createRequestOriginGroup: typeof createRequestOriginGroup;
-    };
-
-    export default cf;
-}